MITRE ATT&CK® Analytic

AN0128: Analytic 0128

Execution of commands to enumerate virtualization-related files or processes (e.g., '/sys/class/dmi/id/product_name', dmesg, lscpu, lspci), or querying hypervisor interfaces prior to malware execution.

Enterprise | AN0128 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0128 focuses on Linux command activity that checks whether a system is virtualized, such as reading DMI product data from /sys/class/dmi/id/product_name or running tools like dmesg, lscpu, and lspci. For leaders, the value is not in the individual commands, which administrators and inventory tools run routinely; it is that a process checking its environment immediately before running something else can be software deciding whether it is inside a sandbox or analyst VM. That matters for malware analysis (a sample that detects a VM may behave differently there than on a production host, so sandbox results can understate it), for SOC triage, and for confidence in endpoint monitoring.

Executive priority

Treat this as a coverage-validation item for Linux endpoint monitoring and incident readiness. Security leaders should ask whether SOC teams can distinguish normal infrastructure inventory activity from suspicious pre-execution environment checks, and whether IR teams can preserve enough command and process evidence to understand what happened before malware or suspicious tooling ran. This is most relevant to organizations with Linux servers, cloud-hosted Linux workloads, or security sandboxes where virtualization-awareness may affect investigation quality.

Technical view

Validate Linux visibility for process execution involving the virtualization and hardware-enumeration artifacts referenced by ATT&CK: reads of /sys/class/dmi/id/product_name, execution of dmesg, lscpu, and lspci, and queries to hypervisor interfaces. Because no official detection logic or ATT&CK relationships were supplied, detections must be environment-specific and baseline-aware; these commands on their own are not an alert. SOC teams should correlate them with parent process, user context, command line, working directory, and nearby file execution, and in particular with whether the activity occurs immediately before unknown or suspicious binaries run from the same parent.

Likely telemetry

  • Linux process creation events with full command line, parent process, user, and timestamp
  • Endpoint security or EDR telemetry for shell and binary execution
  • Audit logs or file access telemetry for reads of /sys/class/dmi/id/product_name and similar virtualization-identifying files
  • Command execution history where available and appropriate for investigation
  • System logs that show use of dmesg or related hardware-enumeration commands

Detection direction

  • Baseline legitimate use by administrators, configuration management, asset inventory, and diagnostics before alerting on these commands alone.
  • Prioritize correlations where virtualization-enumeration commands are launched by unusual parents, temporary paths, scripts, recently dropped files, or non-administrative users.
  • Look for tight timing between environment-enumeration activity and subsequent execution of unknown binaries or malware-suspect processes.
  • Tune for Linux workloads specifically; no other platform is supported by the supplied ATT&CK object.
  • Account for blind spots where command-line logging, parent process capture, or file access auditing is absent or short-retained.
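The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or of Glexia's page: a Python pass over constructed Linux process-creation events that tags virtualization-enumeration commands, scores their context (baseline tooling, parent path, working directory, user), and raises only when a non-system binary runs from the same parent shortly afterwards, or when the context alone is suspicious enough to warrant a look. The baseline markers, admin users, directory lists, the two extra command names, and the sample events are all assumptions made for illustration.

```python
"""Baseline-aware correlation of Linux virtualization-enumeration commands with
follow-on execution, run over constructed process-creation events."""
from __future__ import annotations

import posixpath
from collections import defaultdict
from dataclasses import dataclass

# Commands and the DMI path named in AN0128; dmidecode, systemd-detect-virt and
# /sys/hypervisor/ are illustrative additions (assumptions), not ATT&CK text.
VIRT_ENUM_CMDS = {"dmesg", "lscpu", "lspci", "dmidecode", "systemd-detect-virt"}
VIRT_ENUM_PATHS = ("/sys/class/dmi/id/", "/sys/hypervisor/")
# Local baseline, assumed for the example; derive it from your own inventory tooling.
BASELINE_PARENT_MARKERS = ("ansible", "facter", "inventory-agent")
ADMIN_USERS = {"root", "ansible", "ops"}
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (ts in seconds, exe = resolved executable path)."""
    ts: float
    pid: int
    ppid: int
    exe: str
    cmdline: str
    user: str
    cwd: str
    parent_exe: str
    parent_cmdline: str


def is_virt_enum(ev: ProcEvent) -> bool:
    """True if the event runs an enumeration tool or passes a DMI/hypervisor path."""
    argv = ev.cmdline.split() or [ev.exe]  # whitespace split is enough for prefix checks
    return (posixpath.basename(argv[0]) in VIRT_ENUM_CMDS
            or any(a.startswith(VIRT_ENUM_PATHS) for a in argv[1:]))


def score_enum(ev: ProcEvent) -> tuple[int, list[str]]:
    """Context score for one enumeration event; 0 means it sits inside the baseline."""
    if any(m in ev.parent_cmdline for m in BASELINE_PARENT_MARKERS):
        return 0, ["parent matches baseline inventory tooling"]
    score, reasons = 1, ["virtualization enumeration outside baseline"]
    # The parent's arguments count too, so "/bin/bash /tmp/x.sh" is a /tmp-launched parent.
    if any(p.startswith(SUSPICIOUS_DIRS) for p in [ev.parent_exe, *ev.parent_cmdline.split()[1:]]):
        score, reasons = score + 2, reasons + ["parent launched from a temporary or user-writable path"]
    if ev.cwd.startswith(SUSPICIOUS_DIRS):
        score, reasons = score + 1, reasons + ["working directory is temporary or user-writable"]
    if ev.user not in ADMIN_USERS:
        score, reasons = score + 1, reasons + [f"non-administrative user {ev.user}"]
    return score, reasons


def correlate(events: list[ProcEvent], window: float = 60.0, medium_threshold: int = 3) -> list[dict]:
    """Group enumeration events by parent process and look for a non-system binary run by
    the same parent within `window` seconds of the last check. High = check followed by an
    unknown execution; medium = suspicious context but nothing ran yet; otherwise silent."""
    by_parent: dict[int, list[ProcEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_parent[ev.ppid].append(ev)
    alerts: list[dict] = []
    for ppid, chain in by_parent.items():
        enum = [e for e in chain if is_virt_enum(e)]
        if not enum:
            continue
        scored = [score_enum(e) for e in enum]
        score = max(s for s, _ in scored)
        if score == 0:
            continue  # the whole chain matches the baseline
        reasons = sorted({r for _, rs in scored for r in rs})
        first_ts, last_ts = enum[0].ts, enum[-1].ts
        follow_on = next((e for e in chain if not is_virt_enum(e)
                          and first_ts < e.ts <= last_ts + window
                          and not e.exe.startswith(SYSTEM_BIN_DIRS)), None)
        if follow_on is not None:
            severity = "high"
            reasons.append(f"non-system binary {follow_on.exe} ran "
                           f"{follow_on.ts - first_ts:.1f}s after the first check")
        elif score >= medium_threshold:
            severity = "medium"
        else:
            continue  # e.g. an operator running lspci by hand from an interactive shell
        alerts.append({"severity": severity, "ppid": ppid, "score": score,
                       "commands": [e.cmdline for e in enum], "reasons": reasons})
    return alerts


# Constructed sample telemetry: an Ansible inventory run (baseline), a dropper script in /tmp
# that checks the environment then launches an unknown binary, and an operator running lspci.
DROPPER = ("www-data", "/tmp/.x", "/bin/bash", "/bin/bash /tmp/.x/setup.sh")
SAMPLE_EVENTS = [
    ProcEvent(100.0, 3101, 3100, "/usr/bin/lscpu", "lscpu", "root", "/root",
              "/usr/bin/python3", "/usr/bin/python3 /root/.ansible/tmp/AnsiballZ_setup.py"),
    ProcEvent(200.0, 4243, 4242, "/usr/bin/cat", "cat /sys/class/dmi/id/product_name", *DROPPER),
    ProcEvent(200.4, 4244, 4242, "/usr/bin/lscpu", "lscpu", *DROPPER),
    ProcEvent(200.9, 4245, 4242, "/usr/bin/dmesg", "dmesg", *DROPPER),
    ProcEvent(203.0, 4246, 4242, "/tmp/.x/agent", "/tmp/.x/agent --daemon", *DROPPER),
    ProcEvent(300.0, 5001, 5000, "/usr/bin/lspci", "lspci -nn", "ops", "/home/ops", "/bin/bash", "-bash"),
]
```

Run against the sample, only the dropper chain alerts (high, because /tmp/.x/agent runs three seconds after the checks); the Ansible run is suppressed by the baseline and the operator's lspci scores below the medium threshold. Shrinking the window to one second turns the same chain into a medium alert, which is the difference between "something ran right after the check" and "the context is odd but nothing ran yet". The 60-second window and threshold of 3 are starting points; the right values come from the local baseline, and the scoring only works where parent command line, working directory, and user are actually captured.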

Mitigation priorities

  • Ensure Linux endpoint telemetry captures process creation and command-line detail with sufficient retention for incident response.
  • Maintain baselines for approved administrative, inventory, and provisioning tools that commonly enumerate hardware or virtualization state.
  • Limit unnecessary access to sensitive hypervisor or virtualization interfaces where operationally feasible, and monitor access that remains required.
  • Prepare SOC playbooks that treat virtualization-enumeration as context to investigate, not as a standalone incident without corroborating evidence.
  • Use incident response reviews to confirm whether suspicious execution was preceded by environment checks that may affect malware analysis or sandbox results.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux virtualization-enumeration behavior before malware execution. It has no supplied tactics, relationships, aliases, or official detection logic, so this take emphasizes defensive validation and telemetry readiness rather than a specific detection rule.

This assessment is limited to the official STIX fields and external reference provided for AN0128. It does not establish attribution, active exploitation, impact, or guaranteed detectability. Local baselines are required because the referenced commands can be normal administrative or inventory activity.

Official MITRE ATT&CK definition

Analytic 0128

Execution of commands to enumerate virtualization-related files or processes (e.g., '/sys/class/dmi/id/product_name', dmesg, lscpu, lspci), or querying hypervisor interfaces prior to malware execution.

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links on this page use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under MITRE's ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a8d68dd31fb32c6d...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a8d68dd31fb3…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN0128 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.